Publication Citation: Jancar, J., V. Sedlacek, P. Svenda, and M. Sys. “Minerva: The Curse of ECDSA Nonces : Systematic Analysis of Lattice Attacks on Noisy Leakage of Bit-Length of ECDSA Nonces”. IACR Transactions on Cryptographic Hardware and Embedded Systems, Vol. 2020, no. 4, Aug. 2020, pp. 281-08, doi:10.13154/tches.v2020.i4.281-308.
Researcher Names: Jan Jancar, Vladimir Sedlacek, Petr Svenda, Marek Sys
Link: https://minerva.crocs.fi.muni.cz/
The Minerva attack is a group of side-channel vulnerabilities in implementations of the ECDSA signature algorithm in a widely used Atmel AT90SC FIPS 140-2 certified smartcard chip and five cryptographic libraries (libgcrypt, wolfSSL, MatrixSSL, SunEC/OpenJDK/Oracle JDK, Crypto++). Vulnerable implementations leak the bit-length of the scalar used in scalar multiplication via timing. Using leaked bit-length, the paper mounts a lattice attack on a 256-bit curve, after observing enough signing operations. The paper proposes two new methods to recover the full private key requiring just 500 signatures for simulated leakage data, 1200 for real cryptographic library data, and 2100 for smartcard data. For the leakage data from the TPM-FAIL paper, the number of required signatures decreased from approximately 40 000 to mere 900. The work also presents an attack on the Athena IDProtect smartcard which was Common Criteria (CC) EAL 4+ certified.